Discontinue use of the VeriSign G2 Root Certificate. In accordance with industry standards, PayPal will no longer honor secure connections that require the VeriSign G2 Root Certificate for trust validation. Only secure connection requests that are expecting our certificate/trust chain to be signed by the G5 Root Certificate will result in successful secure connections.​

Am I correct in assuming that the way to resolve is to update the CA cert data on the server? ( some threads on StackExchange this route, although not specific to Linux/CPanel: stackoverflow.com/questions/29822686/curl-error-60-ssl-certificate-unable-to-get-local-issuer-certificate

If yes, how is that best accomplished. The more details you can provide the better as SSL is far from my expertise.

Does anyone from CPANEL have any input on this...how do you update the CA certs that PHP/CURL uses on a CPANEL server?

When negotiating a TLS or SSL connection, the server sends a certificate indicating its identity. Curl verifies whether the certificate is authentic, i.e. that you can trust that the server is who the certificate says it is. This trust is based on a chain of digital signatures, rooted in certification authority (CA) certificates you supply. curl uses a default bundle of CA certificates (the path for that is determined at build time)...

or should one just download a cacert.pem file from source ( as suggested here: stackoverflow.com/questions/29822686/curl-error-60-ssl-certificate-unable-to-get-local-issuer-certificate ), install it somewhere(??) and point to it in php.ini using curl.cainfo=/path/to/cacert.pem ?

Staff Member

Does this system use EasyApache 3 on CentOS 6 or 7? If so, ensure the "curl-devel" package is installed via YUM, and both Curl and CurlSSL options are disabled in your EasyApache 3 profile. Then, add the following line to /var/cpanel/easy/apache/rawopts/all_php5 (create this file if it doesn't exist):

Code:

--with-curl=/usr

Once you do this, rebuild Apache via EasyApache and verify if the issue persists.

Note this is unnecessary with Easyapache 4 because PHP curl is compiled against the OS-supplied libcurl.